HashiCorp go-slug Zip-Slip Vulnerability Allowing Arbitrary File Write

Vulnerability

A zip-slip style vulnerability has been identified in HashiCorp's go-slug library, versions prior to 0.16.2. The issue arises when a tar entry is extracted to a user-provided path that does not yet exist on disk: path validation during extraction is incomplete in that case, so a crafted entry can traverse outside the intended destination directory, potentially allowing an attacker to write arbitrary files.

Impact

Exploitation of this vulnerability could result in a zip-slip style path traversal, allowing for arbitrary file writes during the extraction of tar entries.
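The mitigation for this class of bug is to validate every entry's destination before writing, both lexically (after cleaning the path) and physically (after resolving symlinks in whatever part of the target path already exists). The following Go function is an added illustration of that check; it is not go-slug's code or the patched library logic, and the names SafeExtractPath, within and resolveExistingPrefix are assumptions for this example. It specifically handles the case the advisory describes, a target path that does not yet exist, by resolving only the existing ancestor and checking the remainder lexically.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrPathEscapes is returned when an archive entry would be written outside dest.
var ErrPathEscapes = errors.New("archive entry path escapes destination directory")

// SafeExtractPath returns the absolute on-disk path at which an archive entry
// named name may be written under dest, or ErrPathEscapes if it would land
// outside dest. Symlinks in the already-existing part of the target path are
// resolved so that a link planted earlier in the archive cannot redirect the
// write; the not-yet-existing tail is checked lexically.
func SafeExtractPath(dest, name string) (string, error) {
	if name == "" {
		return "", ErrPathEscapes
	}
	// Archive entry names use forward slashes; reject absolute names outright.
	if strings.HasPrefix(name, "/") || strings.HasPrefix(name, "\\") || filepath.IsAbs(name) {
		return "", ErrPathEscapes
	}
	absDest, err := filepath.Abs(dest)
	if err != nil {
		return "", err
	}
	// Resolve dest itself so a destination that is a symlink is handled.
	realDest, err := filepath.EvalSymlinks(absDest)
	if err != nil {
		return "", err
	}
	// Lexical check: after Join cleans the path, it must still be under dest.
	target := filepath.Join(realDest, filepath.FromSlash(name))
	if !within(realDest, target) {
		return "", ErrPathEscapes
	}
	// Physical check: resolve symlinks in the longest existing prefix of
	// target, re-append the non-existent remainder, and check again.
	resolved, err := resolveExistingPrefix(target)
	if err != nil {
		return "", err
	}
	if !within(realDest, resolved) {
		return "", ErrPathEscapes
	}
	return resolved, nil
}

// within reports whether p is base itself or lies beneath base.
func within(base, p string) bool {
	rel, err := filepath.Rel(base, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveExistingPrefix walks up from p until it finds a path that exists,
// resolves symlinks in that existing ancestor, and re-appends the missing
// components. A non-ENOENT error (for example an ancestor that is a regular
// file) is returned as-is so extraction fails closed.
func resolveExistingPrefix(p string) (string, error) {
	existing := p
	var rest []string
	for {
		if _, err := os.Lstat(existing); err == nil {
			break
		} else if !errors.Is(err, os.ErrNotExist) {
			return "", err
		}
		parent := filepath.Dir(existing)
		if parent == existing {
			return "", fmt.Errorf("no existing ancestor for %q", p)
		}
		rest = append([]string{filepath.Base(existing)}, rest...)
		existing = parent
	}
	real, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err
	}
	return filepath.Join(append([]string{real}, rest...)...), nil
}

func main() {
	dest, err := os.MkdirTemp("", "extract-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dest)
	// Constructed sample entry names for the demo, not taken from any real archive.
	for _, name := range []string{"config/app.hcl", "../outside.txt", "/etc/passwd", "a/../../b"} {
		p, err := SafeExtractPath(dest, name)
		if err != nil {
			fmt.Printf("reject %-18q %v\n", name, err)
			continue
		}
		fmt.Printf("allow  %-18q -> %s\n", name, p)
	}
}
```

The two-stage check matters because a lexical test alone accepts an entry like link/newfile when link is a symlink (created by an earlier entry) pointing outside dest, while a pure EvalSymlinks call on the full target fails with "not found" when the file does not exist yet; resolving only the existing prefix closes both gaps.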

Remediation

Users of the go-slug library should upgrade to version 0.16.3 or later. The latest releases can be found on the HashiCorp go-slug GitHub Releases page.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 4.4
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.